Abstract. In this paper we present InterHorn, a solver for recursion-free Horn clauses. The main application domain of InterHorn lies in solving interpolation problems arising in software verification. We show how a range of interpolation problems, including path, transition, nested, state/transition and well-founded interpolation, can be handled directly by InterHorn. By detailing these interpolation problems and their Horn clause representations, we hope to encourage the emergence of a common back-end interpolation interface useful for diverse verification tools.



1 Introduction 

Interpolation is a key ingredient of a wide range of software verification tools that is used to compute approximations of sets and relations over program states, see e.g. [THUnHHHUIIHl^lllIllMlllS]. These approximations come in different forms, e.g., as path interpolation [16], transition interpolation [19], nested interpolation [15], state/transition interpolation [1], or well-founded interpolation [7]. As a result, algorithms and tools for solving interpolation problems have become an important area of research contributing to advances in the state of the art of software verification.

In this paper we present InterHorn, a solver for constraints in the form of recursion-free Horn clauses that can be applied to various interpolation problems occurring in software verification. InterHorn takes as input clauses whose literals are either assertions in the theory of linear arithmetic or unknown relations. In addition, InterHorn also accepts well-foundedness conditions on the unknown relations. The set of input clauses can represent either a DAG or a tree of dependencies between the interpolants to be discovered. The output of InterHorn is either an interpretation of the unknown relations in terms of linear arithmetic assertions that turns the input clauses into valid implications over the rationals/reals and satisfies the well-foundedness conditions, or the statement that no such interpretation exists. InterHorn is sound and complete for clauses without well-foundedness conditions. (InterHorn is incomplete when well-foundedness conditions are present, since it relies on the synthesis of linear ranking functions.) InterHorn is part of a general solver for recursive Horn clauses [5] and has already demonstrated its practicability in a software verification competition [8]. The main novelty offered by InterHorn wrt. existing interpolating procedures [3Hrjl rTUIl2"2] lies in the ability to declaratively specify the interpolation problem as a set of recursion-free Horn clauses and in the support for well-foundedness conditions.

We proceed by illustrating how interpolation problems can be represented as recursion-free Horn clauses, the input to InterHorn. Then we briefly describe the algorithm implemented by InterHorn and give some implementation details.

2 Interpolation by solving recursion-free Horn clauses 

In this section we provide examples of how interpolation-related problems arising in software verification can be formulated as the solving of recursion-free Horn clauses. This collection of examples is not exhaustive and serves as an illustration of the approach. We omit any description of how interpolation is used by verification methods, since that is out of the scope of this paper, and rather focus on the form of interpolation problems and their representation as recursion-free Horn clauses. Further examples can be found in the literature, e.g., [5], and more are likely to emerge in the future.

Path interpolation Interpolation can be used for the approximation of sets of states reachable by a program along a given path, see e.g. [16]. A flat program (transition system) consists of program variables $v$, an initiation condition $\mathit{init}(v)$, a set of program transitions $\{\mathit{next}_1(v,v'), \ldots, \mathit{next}_n(v,v')\}$, and a description of safe states $\mathit{safe}(v)$. A path is a sequence of program transitions.

Given a path $\mathit{next}_1(v,v'), \ldots, \mathit{next}_n(v,v')$, the path interpolation problem is to find assertions $I_0(v), I_1(v), \ldots, I_n(v)$ such that:

$$\mathit{init}(v) \rightarrow I_0(v),$$
$$I_{k-1}(v) \wedge \mathit{next}_k(v,v') \rightarrow I_k(v'), \quad \text{for each } k \in 1..n$$
$$I_n(v) \rightarrow \mathit{safe}(v).$$

We observe that there are no recursive dependencies induced by the above implications between the interpolants to be discovered, i.e., $I_0(v)$ does not depend on any other interpolant, while $I_1(v)$ depends on $I_0(v)$, and $I_n(v)$ depends on $I_0(v), \ldots, I_{n-1}(v)$. InterHorn leverages the absence of such dependency cycles in its solving algorithm, see Section 3.

Transition interpolation Interpolation can be applied to compute over-approximations of program transitions, see e.g. [19]. Given a path $\mathit{next}_1(v,v'), \ldots, \mathit{next}_n(v,v')$, a transition interpolation problem is to find $T_1(v,v'), \ldots, T_n(v,v')$ such that:

$$\mathit{next}_k(v,v') \rightarrow T_k(v,v'), \quad \text{for each } k \in 1..n$$
$$\mathit{init}(v_0) \wedge T_1(v_0,v_1) \wedge \cdots \wedge T_n(v_{n-1},v_n) \rightarrow \mathit{safe}(v_n).$$

Again, we note that there are no recursive dependencies between the assertions to be computed.
Well-founded interpolation We can also use interpolation in combination with additional well-foundedness constraints when proving program termination, see e.g. [7]. We assume a path $\mathit{stem}_1(v,v'), \ldots, \mathit{stem}_m(v,v')$ that contains transitions leading to a loop entry point, and a path $\mathit{loop}_1(v,v'), \ldots, \mathit{loop}_n(v,v')$ around the loop. A well-founded interpolation problem amounts to finding $I_0(v), I_1(v), \ldots, I_m(v)$ and $T_1(v,v'), \ldots, T_n(v,v')$ such that:

$$\mathit{init}(v) \rightarrow I_0(v),$$
$$I_{k-1}(v) \wedge \mathit{stem}_k(v,v') \rightarrow I_k(v'), \quad \text{for each } k \in 1..m$$
$$I_m(v) \wedge \mathit{loop}_1(v,v') \rightarrow T_1(v,v'),$$
$$T_{k-1}(v,v') \wedge \mathit{loop}_k(v',v'') \rightarrow T_k(v,v''), \quad \text{for each } k \in 2..n$$
$$\mathit{wf}(T_n(v,v')).$$

Note that the last clause, which is a unit clause, requires that the relation $T_n(v,v')$ is well-founded, i.e., does not admit any infinite chains.

Search tree interpolation Interpolation has been used for optimizing the search for solutions of a constraint programming goal [18]. That work considers the case in which the search tree corresponds to the state space exploration of an imperative program in order to prove some safety property. A node of the tree is labeled with a formula $s(v)$ that is a symbolic representation of the reachable states at a program point. The tree structure corresponds to program transitions: a node $n$ has as many children as there are transitions starting at the program point corresponding to $n$, i.e., $\mathit{next}_1(v,v'), \ldots, \mathit{next}_m(v,v')$. To optimize the search, symbolic states are generalized by computing interpolants in a post-order tree traversal. During the tree traversal, for a node $n$, initially labeled $s_0$ and having children with labels $s_1$ to $s_m$, a generalized label of the node $n$ is computed as $I_1(v) \wedge \cdots \wedge I_m(v)$ and is subject to the following implications:

$$s_0(v) \rightarrow I_1(v) \wedge \cdots \wedge I_m(v)$$
$$I_k(v) \rightarrow (\mathit{next}_k(v,v') \rightarrow s_k(v')), \quad \text{for each } k \in 1..m$$

These implications correspond to the following recursion-free Horn clauses,

$$s_0(v) \rightarrow I_k(v), \quad \text{for each } k \in 1..m$$
$$I_k(v) \rightarrow (\exists v' : \mathit{next}_k(v,v') \rightarrow s_k(v')), \quad \text{for each } k \in 1..m$$

where the quantifier elimination in $\exists v' : \mathit{next}_k(v,v') \rightarrow s_k(v')$ can be automated for $\mathit{next}_k$ and $s_k$ background constraints in the theory of linear arithmetic.

Nested interpolation For programs with procedures, interpolation can compute over-approximations of sets of program states that are expressed over the variables in scope at the respective program locations, see e.g. [XMIo]. A procedural program consists of a set of procedures $P$ including the main procedure $\mathit{main}$, global program variables $g$ that include a dedicated variable for return value passing, as well as procedure descriptions. For each procedure $p \in P$ we provide its local variables $l_p$, a finite set of intra-procedural program transitions of the form $\mathit{inst}_p(g, l_p, g', l'_p)$, a finite set of call transitions of the form $\mathit{call}_{p,q}(g, l_p, l_q)$ where $q \in P$ is the name of the callee, a finite set of return transitions of the form $\mathit{ret}_p(g, l_p, g')$, as well as a description of safe states $\mathit{safe}_p(g, l_p)$.

A path in a procedural program is a sequence of program transitions (including intra-procedural, call and return transitions) that respects the calling discipline, which we do not formalize here.

Given a path $\mathit{next}_1(v,v'), \ldots, \mathit{next}_n(v,v')$, find $I_0(v_0), I_1(v_1), \ldots, I_n(v_n)$, where $v_0, \ldots, v_n$ are determined through the following implications, such that:

$$\mathit{init}(g, l_{\mathit{main}}) \rightarrow I_0(g, l_{\mathit{main}}),$$
$$\begin{cases}
\mathit{inst}_p(g, l_p, g', l'_p) \rightarrow I_k(g', l'_p), & \text{if } \mathit{next}_k(v,v') = \mathit{inst}_p(g, l_p, g', l'_p) \\
\mathit{call}_{p,q}(g, l_p, l_q) \rightarrow I_k(g, l_q), & \text{if } \mathit{next}_k(v,v') = \mathit{call}_{p,q}(g, l_p, l_q) \\
\mathit{ret}_p(g, l_p, g') \rightarrow I_k(g', l_q), & \text{if } \mathit{next}_k(v,v') = \mathit{ret}_p(g, l_p, g') \text{ returns to } q
\end{cases} \quad \text{for each } k \in 1..n$$
$$I_n(g, l_p) \rightarrow \mathit{safe}_p(g, l_p), \quad \text{when } \mathit{next}_n(v,v') \text{ occurs in procedure } p.$$

Similarly to the previously described interpolation problems, there are no recursive dependencies in the above clauses.

State/transition interpolation As illustrated by the example of well-founded interpolation, interpolants can represent over-approximations of sets of states as well as binary relations. The Whale algorithm provides a further example of such usage [1]. Given a sequence of assertions $\mathit{next}_1(v,v'), \ldots, \mathit{next}_n(v,v')$ that represents an under-approximation of a path through a procedure with a guard $g(v)$ and a summary $s(v,v')$, find guards $G_1(v), \ldots, G_n(v)$ and summaries $S_1(v,v'), \ldots, S_n(v,v')$ such that:

$$\mathit{next}_k(v,v') \rightarrow S_k(v,v'), \quad \text{for each } k \in 1..n$$
$$g(v) \rightarrow G_1(v),$$
$$G_k(v) \wedge S_k(v,v') \rightarrow G_{k+1}(v'), \quad \text{for each } k \in 1..n-1$$
$$G_n(v) \wedge S_n(v,v') \rightarrow s(v,v').$$

There are no recursive dependencies among the unknown guards and summaries.

Solving unfoldings of recursive Horn clauses A variety of reachability and termination verification problems for programs with procedures, multi-threaded programs, and functional programs can be formulated as the satisfiability of a set of recursive Horn clauses, e.g., [5, 12, 14]. These clauses are obtained from the program during a so-called constraint generation step. The satisfiability checking performed during the constraint solving step amounts to the inference of inductive invariants, procedure summaries, function types and other required auxiliary assertions. Existing solvers, e.g., HSF [9] and μZ [17], rely on solving recursion-free unfoldings when iteratively constructing a solution for recursive Horn clauses.

We illustrate the generation of a recursion-free unfolding using an invariance proof rule for flat programs. This rule can be formalised as follows. For a given program, find an invariant $\mathit{Inv}(v)$ such that

$$\mathit{init}(v) \rightarrow \mathit{Inv}(v),$$
$$\mathit{Inv}(v) \wedge \mathit{next}(v,v') \rightarrow \mathit{Inv}(v'), \quad \text{for each program transition } \mathit{next}(v,v')$$
$$\mathit{Inv}(v) \rightarrow \mathit{safe}(v).$$

An unfolding of these recursive clauses introduces auxiliary relations that refer to $\mathit{Inv}(v)$ at each intermediate step. For example, we consider an unfolding that starts with the first clause above, then applies a clause from the second line for a transition $\mathit{next}_1(v,v')$ and then for a transition $\mathit{next}_2(v,v')$, before traversing the last clause. This unfolding is represented by the following recursion-free clauses:

$$\mathit{init}(v) \rightarrow \mathit{Inv}_0(v), \qquad \mathit{Inv}_0(v) \wedge \mathit{next}_1(v,v') \rightarrow \mathit{Inv}_1(v'),$$
$$\mathit{Inv}_1(v) \wedge \mathit{next}_2(v,v') \rightarrow \mathit{Inv}_2(v'), \qquad \mathit{Inv}_2(v) \rightarrow \mathit{safe}(v).$$

A solution for these clauses contributes to solving the recursive clauses.

3 Algorithm overview 

In this section we briefly describe how InterHorn solves recursion-free Horn clauses. We refer to [HI Section 7] for a solving algorithm for clauses over linear rational arithmetic, to [13] for a treatment of the combined theory of linear rational arithmetic and uninterpreted functions, and to [24] for the support of well-foundedness conditions.

InterHorn critically relies on the following two observations. First, applying resolution to the clauses that describe the interpolation problem terminates and yields an assertion that does not contain any unknown relations. For example, resolution of the clauses in Section 2 that describe path, transition, nested and state/transition interpolation results in an implication of the form $\mathit{init}(v_0) \wedge (\bigwedge_{k=1}^{n} \mathit{next}_k(v_{k-1}, v_k)) \rightarrow \mathit{safe}(v_n)$. Second, the obtained assertion is valid if and only if the set of clauses is satisfiable. From the proof of validity (or, alternatively, from the proof of unsatisfiability of the negated assertion) we construct the solutions.

Clauses without well-foundedness conditions InterHorn goes through three main steps when given a set of recursion-free clauses that does not contain any well-foundedness condition. For example, we consider the following recursion-free clauses as input:

$$x > 10 \rightarrow p(x), \qquad p(u) \wedge w = u + v \rightarrow q(v,w), \qquad q(y,z) \wedge y < 0 \rightarrow z > y.$$

During the first step we apply resolution to the set of clauses. Since the clauses are recursion-free, the resolution application terminates. The result is an assertion that only contains constraints from the background theory. After applying resolution we obtain for our example (note that we use fresh variables here to stress the fact that clauses are implicitly universally quantified):

$$a > 10 \wedge c = a + b \wedge b < 0 \rightarrow c > b.$$

The second step amounts to checking the validity of the obtained assertion (see footnote 4). If the assertion is not valid, then we report that the original set of clauses imposes constraints that cannot be satisfied. Otherwise we produce a proof of validity. In our example the proof of validity can be represented as a weighted sum of the inequalities in the antecedent of the implication, with the weights $1$, $-1$, and $0$, respectively.

The third step traverses the input clauses and computes the solution assignment by taking the proof into account. For the clause $x > 10 \rightarrow p(x)$ we determine that $x > 10$ contributes to $p(x)$ with weight $1$, since during the resolution $x > 10$ gave rise to $a > 10$, whose weight is $1$. Thus we obtain $p(x) = (x > 10)$. For the clause $p(u) \wedge w = u + v \rightarrow q(v,w)$ we combine $p(u)$ and $w = u + v$ with the weight of the latter set to $-1$, since $w = u + v$ yielded a contribution to the proof with weight $-1$. This leads to $q(v,w) = (u > 10) + (-1) \cdot (w = u + v) = (w > 10 + v)$.

Finally, InterHorn outputs the solution:

$$p(x) = (x > 10), \qquad q(v,w) = (w > 10 + v).$$

We observe that substituting the solutions into the input clauses produces valid implications: $x > 10 \rightarrow x > 10$, $u > 10 \wedge w = u + v \rightarrow w > 10 + v$, and $z > 10 + y \wedge y < 0 \rightarrow z > y$.
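As an added illustration of the third step (this is not code from the paper or from the InterHorn tool), the following Python script takes the Farkas weights 1, -1 and 0 of the proof of validity for the running example, traverses the clauses in dependency order, forms each relation's solution as the weighted sum of its body, and then checks that the last clause becomes a valid implication. The constraint encoding (expressions read as "expr > 0", the equality stored as u + v - w = 0) is my own choice, made so that the page's weights apply unchanged.

```python
from fractions import Fraction as F

CONST = "1"  # key of the constant term in a linear expression

def lin(const=0, **coeffs):
    """Linear expression as {var: coeff}; read as expr > 0 (or expr = 0 for equalities)."""
    expr = {k: F(v) for k, v in coeffs.items() if v != 0}
    if const:
        expr[CONST] = F(const)
    return expr

def combine(acc, expr, weight):
    """Return acc + weight * expr, dropping zero coefficients."""
    out = dict(acc)
    for k, c in expr.items():
        out[k] = out.get(k, F(0)) + weight * c
    return {k: c for k, c in out.items() if c != 0}

def rename(expr, formals, actuals):
    """Instantiate a solution over formal parameters with the clause's actual arguments."""
    sub = dict(zip(formals, actuals))
    return {sub.get(k, k): c for k, c in expr.items()}

def weighted_body(sol, atoms, constraints):
    """Sum of already-solved body relations (weight 1) and weighted background constraints."""
    acc = {}
    for name, args in atoms:  # no dependency cycles: body relations were solved earlier
        params, expr = sol[name]
        acc = combine(acc, rename(expr, params, args), F(1))
    for expr, weight in constraints:
        acc = combine(acc, expr, weight)
    return acc

# The page's clauses  x > 10 -> p(x)  and  p(u) /\ w = u + v -> q(v, w).  Each
# background constraint carries the Farkas weight (1 resp. -1) of the resolvent
# inequality it gave rise to; the equality is stored as u + v - w = 0 so that the
# page's weight -1 applies unchanged (constructed encoding, not InterHorn's).
CLAUSES = [  # (body atoms, [(constraint, weight)], head relation, head parameters)
    ([], [(lin(-10, x=1), F(1))], "p", ["x"]),
    ([("p", ["u"])], [(lin(u=1, v=1, w=-1), F(-1))], "q", ["v", "w"]),
]
# Last clause  q(y, z) /\ y < 0 -> z > y, with weight 0 on y < 0 (stored as -y > 0).
GOAL = ([("q", ["y", "z"])], [(lin(y=-1), F(0))], lin(z=1, y=-1))

def solve(clauses):
    """Step 3: traverse clauses in dependency order; each head gets the weighted body sum."""
    sol = {}
    for atoms, constraints, head, params in clauses:
        sol[head] = (params, weighted_body(sol, atoms, constraints))
    return sol

def goal_valid(sol, goal):
    """C > 0 implies H > 0 exactly when H - C is a non-negative constant (no variable left)."""
    atoms, constraints, head = goal
    diff = combine(head, weighted_body(sol, atoms, constraints), F(-1))
    return set(diff) <= {CONST} and diff.get(CONST, F(0)) >= 0

if __name__ == "__main__":
    s = solve(CLAUSES)
    print("p(x):", s["p"])     # (['x'], {'x': 1, '1': -10}), i.e. x - 10 > 0
    print("q(v,w):", s["q"])   # (['v', 'w'], {'1': -10, 'v': -1, 'w': 1}), i.e. w - v - 10 > 0
    print("last clause valid:", goal_valid(s, GOAL))  # True
```

The validity check is deliberately the weak one that suffices here (the head minus the weighted body must be a non-negative constant); a general implementation would call an LP solver to obtain the weights instead of taking them from the page.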

Clauses with a well-foundedness condition In case a well-foundedness condition occurs in the input, InterHorn introduces additional steps to take this condition into account. For example, we consider the following recursion-free clauses with a well-foundedness condition as input:

$$x > 10 \rightarrow p(x), \qquad p(u) \wedge w = u + v \rightarrow q(v,w), \qquad q(y,z) \wedge y < 0 \rightarrow r(y,z),$$
$$\mathit{wf}(r(s,t)).$$

The first step is again the resolution of the given clauses, which produces a clause providing an under-approximation of the relation that is subject to the well-foundedness condition. For our example, we obtain:

$$a > 10 \wedge c = a + b \wedge b < 0 \rightarrow r(b,c).$$

The second step attempts to find a well-founded relation that over-approximates the projection of the antecedent of the clause obtained by resolution onto the variables in its head. For our example this projection amounts to performing an existential quantifier elimination on $\exists a : a > 10 \wedge c = a + b \wedge b < 0$, which gives $c > 10 + b \wedge b < 0$. This relation is well-founded, which is witnessed by a ranking relation over $b$ and $c$ with the bound component $b < 0$ and the decrease component $c > b + 1$.

Footnote 4: Instead of validity checking we can check satisfiability of the negated assertion.
The third step uses the well-founded over-approximation to construct a clause that introduces an upper bound on the relation under the well-foundedness condition. This clause replaces the well-foundedness condition by an approximation condition wrt. an assertion. For our example, the clause $\mathit{wf}(r(s,t))$ is replaced by the clause $r(s,t) \rightarrow (s < 0 \wedge t > s + 1)$.

Lastly, we apply the solving method for clauses without well-foundedness conditions described previously. In our example, the set of clauses to be solved becomes:

$$x > 10 \rightarrow p(x), \qquad p(u) \wedge w = u + v \rightarrow q(v,w), \qquad q(y,z) \wedge y < 0 \rightarrow r(y,z),$$
$$r(s,t) \rightarrow (s < 0 \wedge t > s + 1).$$

Finally, InterHorn outputs the solution:

$$p(x) = (x > 10), \qquad q(v,w) = (w > 10 + v), \qquad r(s,t) = (s < 0 \wedge t > s + 10).$$

4 Implementation 

InterHorn is implemented in SICStus Prolog [35]. For computing proofs of validity (resp. unsatisfiability) over the theory of linear rational arithmetic, InterHorn relies on a proof-producing version of a simplex algorithm [11]. For computing well-founded approximations (also over linear rational arithmetic), InterHorn uses a linear ranking function synthesis algorithm [23].

InterHorn accepts input either in the form of Prolog terms or as an SMTLIB2 file, and outputs an appropriately formatted result.

5 Conclusion 

We presented InterHorn, a solver for recursion-free Horn clauses that can be used to deal with various interpolation problems. The main directions for future development include adding support for uninterpreted functions, along the lines of [13], and for integer arithmetic.

After developing our work and submitting it to [27], we became aware of related work highlighting the relation between interpolation and recursion-free Horn clauses. The authors of [25] show some interpolation problems that correspond to various fragments of recursion-free Horn clauses and establish complexity results for these fragments assuming the background theory of linear integer arithmetic. Our work is less concerned with the different fragments of recursion-free Horn clauses and more with how interpolation problems arise in software verification. The well-founded interpolation problem is beyond the scope of [25].